
Yet another report of "[WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service"

UTM 9.710-1

Warning e-mail: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service

I've seen this problem before and solved it using the steps described in this posting by Pawan:

https://community.sophos.com/utm-firewall/f/general-discussion/131592/issues-with-renewal-of-let-s-encrypt-certificate/484050#484050

I solved the problem again this morning by following these steps, but the sad thing is that this problem continues to occur over multiple releases of the UTM. This is apparently an infrequent issue, but once the UTM begins to fail to renew, my experience has been that actions like the above are required to solve the problem. In this case I let it try to renew over the course of 12 days with each attempt failing the same way.

Deleting the CA certificate (that was not expired) and then manually renewing the Let's Encrypt certificate as described by Pawan solves the problem. I wonder if the fault may lie in the UTM's renew_certificate.pl script, as this is the component mentioned in both the CA and Let's Encrypt certificates' "i" (show where this object is in use...). Looking at this script I note that it is the one that seems to be responsible for the TOS_UNAVAILABLE error that underlies the [WARN-603] error. I have replaced the URLs with DELETED in the logs below.

2022:04:16-04:08:02 utm-m letsencrypt[31277]: I Check renewal: renew REF_CaCsrWebseProte (domains: DELETED): certificate valid until May  3 20:54:21 2022 GMT (less than 30 days)
2022:04:16-04:09:02 utm-m letsencrypt[31588]: E Renew certificate: Incorrect response code from ACME server: 500
2022:04:16-04:09:02 utm-m letsencrypt[31588]: E Renew certificate: URL was: https://acme-v02.api.letsencrypt.org/directory
2022:04:16-04:09:02 utm-m letsencrypt[31588]: I Renew certificate: handling CSR REF_CaCsrWebseProte for domain set [DELETED]
2022:04:16-04:09:02 utm-m letsencrypt[31588]: E Renew certificate: TOS_UNAVAILABLE: Could not obtain the current version of the Let's Encrypt Terms of Service
2022:04:16-04:09:02 utm-m letsencrypt[31588]: I Renew certificate: sending notification WARN-603
2022:04:16-04:09:02 utm-m letsencrypt[31588]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2022:04:16-04:09:02 utm-m letsencrypt[31588]: I Renew certificate: execution failed

Deleting the CA certificate and then renewing manually seems to trigger the script(s) to --accept-terms for the domains involved, and then the subsequent renewal process completes properly:

2022:04:16-06:30:02 utm-m letsencrypt[9581]: I Renew certificate: handling CSR REF_CaCsrWebseProte for domain set [DELETED]
2022:04:16-06:30:02 utm-m letsencrypt[9581]: I Renew certificate: running command: /var/storage/chroot-reverseproxy/usr/dehydrated/bin/dehydrated -x -f /var/storage/chroot-reverseproxy/usr/dehydrated/conf/config -c --accept-terms --domain DELETED --domain DELETED --domain DELETED --domain DELETED
2022:04:16-06:30:26 utm-m letsencrypt[9581]: I Renew certificate: command completed with exit code 0
2022:04:16-06:30:26 utm-m letsencrypt[9581]: I Renew certificate: previous certificate exists, updating from /var/storage/chroot-reverseproxy/var/lib/dehydrated/cert_data/certs/DELETED/fullchain.pem
2022:04:16-06:30:28 utm-m letsencrypt[9581]: I Renew certificate: updated certificate REF_rVEWhVgkNZYk of CSR REF_CaCsrWebseProte
2022:04:16-06:30:28 utm-m letsencrypt[9581]: I Renew certificate: execution completed (CSRs renewed: 1, failed: 0)

--Larry
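As an added example (not part of Larry's post and not the UTM's own renew_certificate.pl), here is a small Python check that parses letsencrypt log lines in the format quoted above, groups them into renewal runs by PID, and raises an alert once the failures persist across runs, so that twelve days of silently failing renewals would be noticed early. The line format is assumed from the lines in the post, and the sample log is constructed to mirror them.

```python
import re

# Format of the UTM letsencrypt log lines quoted above (assumed stable):
#   <yyyy:mm:dd>-<hh:mm:ss> <host> letsencrypt[<pid>]: <I|E> <message>
# (the "[WARN-603] ..." notification line carries no single-letter level)
LINE_RE = re.compile(
    r"^(?P<date>\d{4}:\d{2}:\d{2})-\d{2}:\d{2}:\d{2} \S+ letsencrypt\[(?P<pid>\d+)\]: "
    r"(?:(?P<level>[IEW]) )?(?P<msg>.*)$"
)

# Constructed sample: two nightly runs failing like the ones in the post, then the manual renewal.
SAMPLE_LOG = """\
2022:04:15-04:09:02 utm-m letsencrypt[30011]: E Renew certificate: TOS_UNAVAILABLE: Could not obtain the current version of the Let's Encrypt Terms of Service
2022:04:15-04:09:02 utm-m letsencrypt[30011]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2022:04:15-04:09:02 utm-m letsencrypt[30011]: I Renew certificate: execution failed
2022:04:16-04:09:02 utm-m letsencrypt[31588]: E Renew certificate: Incorrect response code from ACME server: 500
2022:04:16-04:09:02 utm-m letsencrypt[31588]: E Renew certificate: TOS_UNAVAILABLE: Could not obtain the current version of the Let's Encrypt Terms of Service
2022:04:16-04:09:02 utm-m letsencrypt[31588]: I Renew certificate: execution failed
2022:04:16-06:30:28 utm-m letsencrypt[9581]: I Renew certificate: execution completed (CSRs renewed: 1, failed: 0)
"""

def parse_runs(log_text):
    """Group lines by renewal run (one letsencrypt PID per run) and record each run's outcome."""
    runs = {}  # dict keeps insertion order, so runs come out in log order
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        run = runs.setdefault(m["pid"], {"date": m["date"], "errors": [], "warn": None, "outcome": None})
        msg = m["msg"]
        if m["level"] == "E":
            run["errors"].append(msg.replace("Renew certificate: ", "", 1))
        elif msg.startswith("[WARN-"):
            run["warn"] = msg[1:msg.index("]")]
        elif "execution failed" in msg:
            run["outcome"] = "failed"
        elif "execution completed" in msg:
            run["outcome"] = "completed"
    return list(runs.values())

def renewal_alert(log_text, max_failed_runs=2):
    """Alert text once the latest runs all failed (>= max_failed_runs in a row), else None."""
    runs = parse_runs(log_text)
    streak = 0
    for run in reversed(runs):
        if run["outcome"] != "failed":
            break
        streak += 1
    if streak < max_failed_runs:
        return None  # last run succeeded, or failures have not persisted yet
    first, last = runs[-streak], runs[-1]
    return f"{streak} failed runs in a row since {first['date']}; last errors: {' | '.join(last['errors'])}"
```

Fed the UTM's live log (for example from a nightly cron job), the alert fires on the second failed night rather than after the certificate has expired.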